Electronic Device Security Policy
Electronic Device Security Policy    Approved January 4, 2009




Policy Title: Electronic Device Security Policy

Policy Number: IT Services – March 7, 2008 - ITS-08-002

Established: December 5, 2008 by IT Steering Committee

Approved by: VP, Admin & Finance
             Provost & VP Academic

Last Approval Date: January 4, 2009

Revision Date: NA

Position Responsible for Maintaining and Administering the Policy: Executive Director IT Services

Contact: Roger Lauzon
         (519) 253-3000; ext: 2740


Policy Statement: To establish safeguards for password protected access to confidential
information on portable, fixed media and other computing hardware, including the
connection of devices to the campus network.

Purpose: Electronic devices that can access confidential information but are not
password protected could significantly affect the University's ability to meet its legal
obligation to provide a secure electronic environment, should that information become
publicly accessible. If a device is lost, stolen, or otherwise compromised, access by a
third party is more difficult when the device is “power-on” or “application specific”
password protected, and encryption of confidential information provides reasonable
protection from access by any third party.

Electronic devices with access to confidential information may place at risk the
University's ability to meet its obligations, including but not limited to those under the
Freedom of Information and Protection of Privacy Act (FIPPA), under which protection
against unauthorized disclosure must be upheld. It is therefore reasonable that all
electronic confidential information that may be transmitted over public networks, or that
is stored on machines, shall be encrypted and accessed only using electronic devices that
are “power-on” or “application specific” password protected in accordance with this Policy.




IT Steering Committee                                                                      1
Scope: Electronic devices include, but are not limited to, laptop, desktop and tablet
computers; cell phones; BlackBerry and other PDAs; and USB memory sticks and other
drive storage media used for the search, storage or retrieval of confidential information.

All faculty, staff or students with electronic access to encrypted confidential
information are responsible for ensuring that the devices used are “power-on” password
protected (i.e. when the device launches the operating system) or “application specific”
password protected (i.e. when an end-user application is used) for access to the
information.

Exceptions to Policy: None
Cross-References: [1] Policy # ________ Records Management Initiative, Approved June 7, 2006


Definitions:

Confidential Information:

In accordance with the University of Windsor Records Management Initiative [1],
including life-cycle, disclosure and harm as defined therein, “confidential” includes
information that for any one of a number of reasons should only be disclosed to specific
people or groups and is not for general circulation. The information contained therein is
typically sensitive in nature and may be:
  • Recorded information about an identifiable individual (“Personal Information”); or
  • Recorded information relating to the business of the university or a third party,
    including but not limited to, trade secrets and commercial, financial, scientific,
    technical or labour relations information.

Information and/or records may be considered confidential if:
  • The information was supplied either explicitly or implicitly in confidence; AND
  • Its release could result in some harm to either the university or a third party.

Procedures:

General
The University affirms the importance of keeping confidential information reasonably
secure from public electronic access, and that enforcing the use of passwords for access
to devices and/or applications provides greater assurance that information will be
protected than if no passwords were used. The University is committed to protecting the
privacy and confidential information of individuals who learn, visit, research, or
otherwise work at the University by enforcing access, encryption and other security
requirements on information accessible by portable computers and other devices,
including:


  i) As a general rule, confidential information contained in University records
     accessible electronically must be secure from public access at all times, in any
     machine-readable form, whether the information is in transit on a network or
     stored on a device;
  ii) Mobile electronic devices used by those with access to confidential information
     carry a higher risk of potential loss or misuse, and therefore appropriate security
     measures shall be enforced;
  iii) The collection, retention, use, disclosure and destruction of confidential
     information contained in University records accessible electronically shall be
     regulated in a manner that will protect the privacy of individuals who are the
     subject of that information.

Password Protection and Access

Protection
Password security shall be the sole responsibility of the user only if the user is solely
responsible for the administration of the password, including establishment, maintenance,
storage, recovery and destruction of the password. Notwithstanding the above, the
University shall be responsible only with respect to its Enforcement of the Access Rights
(see below), Password Acceptable Use and Recovery, including its Issue and Use of
Passwords, and its Retention, Disposal and Recovery of Passwords (see below,
respectively), or as otherwise defined herein.

Password security protection requires that all persons with access to individual or
application-specific passwords be authorized by the University for access to confidential
information in accordance with this Policy. All passwords shall be retained by individuals
and machine resources as confidential information in compliance with this Policy.

Access Rights
  i) The right of use and access affirmed by this Policy should normally be implemented
     by providing and enforcing a password mechanism for the provision and recovery of
     passwords for all device users where information is accessible or stored.
  ii) Where a request for password access pertains to either a device or to information,
     a personal verification mechanism will be made available that reasonably ensures
     that the individuals granted access rights are the password holders.

Enforcement of the Access Rights
The University grants access to the use of passwords and encryption protocols, as well as
the policies and mechanisms of enforcement, that it controls, respectively. The
University may, at its sole discretion, refuse access to either passwords or information
that it controls, respectively, in enforcement of this Policy.




Password Acceptable Use and Recovery

Issue and Use of Passwords
The University shall issue passwords and manage a password management system that
provides security for those using passwords, such that only those with authorized access
to issue and manage passwords shall be granted access to the password management
system.
The University shall not issue and manage passwords in its custody or under its control
except:
  i) for the purpose for which they were obtained or compiled, or for a consistent
     purpose;
  ii) where the person to whom the information relates has identified that information
     in particular and has consented to its use; or
  iii) to administer confidential information in its records for the purpose of its own
     activities.

Retention, Disposal and Recovery of Passwords
The University shall take reasonable precautions to protect the security of passwords and
shall retain passwords only when necessary for recovery, and shall make reasonable
arrangements for the archival, disposal or destruction of passwords when they are no
longer needed by a person or machine resource.

Relationship with other University policies, guidelines and procedures

Policy and Procedure Review
The University shall develop new or revised policies, guidelines and procedures to take
into account the principles and responsibilities set forth herein as needed by the
University.

Existing Policies and Practices
This Policy and its guidelines and procedures are not intended to replace or restrict
existing procedures and practices within the University relating to access to information
that is not confidential information, or where such procedures and practices give
protection equal to or greater than that provided in this Policy.

  i) Where a separate written University policy has been adopted, its provisions, in the
     event of conflict, will take precedence over this Policy, provided that such
     conflicting provisions are also consistent with the Freedom of Information and
     Protection of Privacy Act.


Client Responsibilities
The Client Responsibilities section is an integral component of this policy and should be
reviewed. Please refer to Appendix A.




Enforcement
The University strictly prohibits the use of any end-user device without “power-on” or
“application specific” password protection to access confidential information. The
University also prohibits access to confidential information over an insecure public
network by those without authorization to view the information. Where password usage
and/or data encryption are supported on devices and are enforceable through technology
or by other means, the University shall enforce them.

Review Process for Policies
The policy will be reviewed every 5 years. The policy may be reviewed before the end of
the 5-year term under the following circumstances: changes in legislation that affect the
policy; a specific incident triggers a review of the policy; or a request is made by senior
management or the Board of Governors to review the policy.

Process for Communicating Policies
The policy will be posted on the University of Windsor’s policy webpage, within two
weeks of the approval of the policy, and Public Affairs and Communications will be
asked to disseminate the information to the campus through the Daily News. A memo
will also be sent to all departments.
Contact Information: inquiries regarding the policy should be directed to Kelly Bondy,
Secretary to the Executive Director IT Services (kbondy@uwindsor.ca ext: 2740).

Appendices:

Appendix A: Electronic Device Security Policy: Client Responsibilities

Appendix B: Electronic Device Security Policy: Summary of Considerations

Appendix C: Electronic Device Security Policy: Glossary



